I have worked in the past with ASP.NET MVC, using that to call a database directly, via Entity Framework. Cookies were set by the ASP.NET MVC app to authenticate and authorize the user.
With ASP.NET Web API, we used an Angular client to get an access token from the Web API. The access token was sent to the API on each request so it would know which user was triggering the request.
Recently I have been asked to work on an ASP.NET MVC app which needs to do all database work through the Web API. Before starting I wanted to know how authentication and authorization would work here. If using cookies, should the API be the one to make the cookie and return it, and ASP.NET MVC would store the cookie in the browser? Would this approach allow ASP.NET MVC to authenticate the controller calls, making sure ASP.NET MVC blocks calls without a valid cookie? At the same time the cookie would be sent to the API via HttpClient, and since the API made the cookie, the API should know who the user is when updating entries in the database with user info.
Or should ASP.NET MVC be the one to make the cookie, after the API returns a valid response from login? But then would the API have any way to know who the user is on later requests if it was not the one which made the cookie?
Both ASP.NET MVC and API will be running on different servers.
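As an added illustration of the second option described above (not code from the question), here is a minimal ASP.NET Core MVC front end that logs in against the Web API, keeps the API-issued access token inside its own authentication cookie, and forwards it as a Bearer token on each HttpClient call. It assumes a hypothetical API endpoint `POST /token` returning `{"access_token": "..."}`, a named HttpClient `"api"` whose BaseAddress is registered at startup, and cookie authentication configured via `AddAuthentication().AddCookie()`.

```csharp
// Added example, not from the question. Assumes a hypothetical API endpoint
// POST /token and a named HttpClient "api" registered with its BaseAddress.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
public record TokenResponse(string access_token);
public class AccountController : Controller
{
    private readonly IHttpClientFactory _clients;
    public AccountController(IHttpClientFactory clients) => _clients = clients;
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string username, string password)
    {
        var api = _clients.CreateClient("api"); // BaseAddress set at registration
        // The API, not the MVC app, validates the credentials and issues the token.
        var resp = await api.PostAsJsonAsync("/token", new { username, password });
        if (!resp.IsSuccessStatusCode) return Unauthorized();
        var token = await resp.Content.ReadFromJsonAsync<TokenResponse>();
        // The MVC cookie proves only that this browser logged in; the API token
        // rides inside it as a claim (the cookie is encrypted by Data Protection).
        var identity = new ClaimsIdentity(new[] {
            new Claim(ClaimTypes.Name, username),
            new Claim("api_token", token!.access_token) },
            CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity));
        return RedirectToAction("Index", "Home");
    }
}
[Authorize] // MVC rejects requests that carry no valid cookie
public class OrdersController : Controller
{
    private readonly IHttpClientFactory _clients;
    public OrdersController(IHttpClientFactory clients) => _clients = clients;
    public async Task<IActionResult> Index()
    {
        var api = _clients.CreateClient("api");
        // The API identifies the user from the Bearer token it issued, not from the MVC cookie.
        var token = User.FindFirst("api_token")?.Value;
        api.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return Content(await api.GetStringAsync("/api/orders"), "application/json");
    }
}
```

With this split, each server validates only the credential it issued: the MVC app checks its cookie, and the API checks the Bearer token, so the API never needs to understand the MVC cookie at all.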